Basically I want to be able to search if users have visited sites that are listed in PhishTank.
Right you are, @martin_mueller, I'll ping the blog post author and ask him to fix the link.
The link in that blog is broken, apparently http://apps.splunk.com/app/995/ is correct... there's a colon missing after http.
This would make a great TA. If I have time I might even have a go at writing one myself.
Sounds like a job for a scripted lookup. Write a script that performs a query against whatever API PhishTank has, and set that up as a lookup for your data.
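A sketch of the scripted lookup suggested above, added here as an example and not code from any poster in this thread. It follows Splunk's external lookup convention (CSV with a header on stdin, the same CSV with the empty fields filled in on stdout). In place of a live PhishTank query it matches against a locally cached feed; the script name, the `url`, `is_phish` and `phish_id` field names, and the sample feed rows are all assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Hypothetical transforms.conf stanza for this script (names are assumptions):
#   [phishtank]
#   external_cmd = phishtank_lookup.py url is_phish phish_id
#   fields_list  = url, is_phish, phish_id
import csv
import io
import sys
from urllib.parse import urlsplit

# Constructed sample standing in for a locally cached PhishTank export.
SAMPLE_FEED = """phish_id,url
1000001,http://login.example-bank.test/verify
1000002,https://secure.example-pay.test/account/update?id=1
"""

def normalize(url):
    """Lower-case scheme and host, drop fragment and trailing slash,
    so trivially different spellings of one URL compare equal."""
    p = urlsplit((url or "").strip())
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}{query}"

def load_feed(text):
    """Map normalized URL -> phish_id from a CSV feed with those two columns."""
    return {normalize(r["url"]): r["phish_id"]
            for r in csv.DictReader(io.StringIO(text))}

def run_lookup(infile, outfile, feed, url_field="url"):
    """Fill is_phish / phish_id for each input row; return the number of hits."""
    reader = csv.DictReader(infile)
    fields = list(reader.fieldnames or [])
    fields += [f for f in ("is_phish", "phish_id") if f not in fields]
    writer = csv.DictWriter(outfile, fieldnames=fields)
    writer.writeheader()
    hits = 0
    for row in reader:
        phish_id = feed.get(normalize(row.get(url_field)))
        row["is_phish"] = "true" if phish_id else "false"
        row["phish_id"] = phish_id or ""
        hits += 1 if phish_id else 0
        writer.writerow(row)
    return hits

if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout, load_feed(SAMPLE_FEED))
```

Exact matching after normalization will miss URLs that differ only in path or query from a listed entry, so matching on host as well may be worth adding for proxy data.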